com.amazonaws.AmazonClientException: com.amazonaws.AmazonServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
I created a role and its Trust Relationship is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<awsID>:root",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I even tried creating a policy and assigned it to my role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::secorbackup"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::secorbackup/*"
      ]
    }
  ]
}
Nothing seems to work. I'm getting the same error. I am using pinterest/secor for log persistence from Kafka to S3. Any suggestions?
Roles may not be assumed by root accounts.
This error means exactly what it says.
You cannot assume a role while using a root account, under any circumstances. You have to use an IAM account.
There is no other workaround for this. The behavior is by design.
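A pre-flight check for the situation in this thread, as an added example that is not part of the original question or answer: it takes the caller ARN that `sts:GetCallerIdentity` reports for the configured credentials and the role's trust policy, and flags root credentials before any AssumeRole call is made. The function names, the account id `111122223333` and the user name `secor` are constructed for illustration; only the trust side is checked, so identity policies and role-session callers matched by role ARN are out of scope.

```python
import json
import re

# Shape of the "Arn" value returned by sts:GetCallerIdentity.
ARN_RE = re.compile(r"^arn:(aws[a-z-]*):(iam|sts)::(\d{12}):(.+)$")


def classify_caller(arn):
    """Return (partition, account_id, kind) for a caller ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("not an IAM/STS caller ARN: %r" % arn)
    partition, service, account, resource = m.groups()
    if service == "iam" and resource == "root":
        kind = "root"            # access keys of the account root user
    elif service == "iam" and resource.startswith("user/"):
        kind = "iam-user"
    elif service == "sts" and resource.startswith("assumed-role/"):
        kind = "assumed-role"
    else:
        kind = "other"
    return partition, account, kind


def _as_list(value):
    return value if isinstance(value, list) else [value]


def preflight_assume_role(caller_arn, trust_policy_json):
    """Trust-side check only: returns (ok, reason)."""
    partition, account, kind = classify_caller(caller_arn)
    if kind == "root":
        # The case from the question: refused whatever the trust policy says.
        return False, "caller is the account root user; use an IAM user's credentials"
    account_principal = "arn:%s:iam::%s:root" % (partition, account)
    for stmt in _as_list(json.loads(trust_policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        # In a Principal element ":root" names the whole account, not the root user.
        if {account_principal, account, caller_arn} & set(_as_list(principal.get("AWS", []))):
            return True, "trust policy allows the caller or its account"
    return False, "no Allow statement for sts:AssumeRole names the caller or its account"


# Constructed sample: the question's trust policy with a made-up account id.
SAMPLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root", "Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]})
```

With the sample policy, a caller ARN of `arn:aws:iam::111122223333:root` is rejected by the check, while `arn:aws:iam::111122223333:user/secor` passes it.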